Let's Encrypt certificate is OK but browser shows the page as insecure

Hi
I'm using Nextcloud 20.0.8 and NextcloudPi 1.35.0.
I chose port 4444 for my Nextcloud (in the recent past it worked like a charm).
After a while, when I go to my Nextcloud at https://aabento.pt:4444 it started giving a message that the page is not safe any more, in all browsers.

Another error was "fail SSL renewal".
If I try to renew the Let's Encrypt certificate it works well with no error.

Because I'm not an expert I tried several solutions indicated in forums, but nothing has worked so far.

Could anyone point me the way to solve this problem?
Thank you in advance.

[ letsencrypt ] (Sun Feb 28 14:09:52 GMT 2021)
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Running deploy-hook command: /etc/letsencrypt/renewal-hooks/deploy/ncp
IMPORTANT NOTES:

  • Congratulations! Your certificate and chain have been saved at:
    /etc/letsencrypt/live/aabento.pt-0002/fullchain.pem
    Your key file has been saved at:
    /etc/letsencrypt/live/aabento.pt-0002/privkey.pem
    Your cert will expire on 2021-05-29. To obtain a new or tweaked
    version of this certificate in the future, simply run certbot
    again. To non-interactively renew all of your certificates, run
    “certbot renew”
  • If you like Certbot, please consider supporting our work by:

Donating to ISRG / Let’s Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le

System config value trusted_domains => 12 set to string aabento.pt
System config value overwrite.cli.url set to string https://aabento.pt/

In order for the Let’s Encrypt clients to be able to renew the certificates, Port 80 has to be open.

https://letsencrypt.org/docs/challenge-types/

Yes, it’s open.

80/tcp ALLOW Anywhere
4444/tcp ALLOW Anywhere
4443/tcp ALLOW Anywhere
22 ALLOW Anywhere
DNS ALLOW Anywhere
Samba ALLOW Anywhere
Anywhere ALLOW 192.168.0.0/16/udp
443 ALLOW Anywhere
443/tcp ALLOW Anywhere
5900 ALLOW Anywhere
5901 ALLOW Anywhere
5900:5901/tcp ALLOW Anywhere
5900:5901/udp ALLOW Anywhere
80/tcp (v6) ALLOW Anywhere (v6)
4444/tcp (v6) ALLOW Anywhere (v6)
4443/tcp (v6) ALLOW Anywhere (v6)
22 (v6) ALLOW Anywhere (v6)
DNS (v6) ALLOW Anywhere (v6)
Samba (v6) ALLOW Anywhere (v6)
443 (v6) ALLOW Anywhere (v6)
443/tcp (v6) ALLOW Anywhere (v6)
5900 (v6) ALLOW Anywhere (v6)
5901 (v6) ALLOW Anywhere (v6)
5900:5901/tcp (v6) ALLOW Anywhere (v6)
5900:5901/udp (v6) ALLOW Anywhere (v6)

When I looked through your post again, I noticed that the client had apparently created a new certificate instead of renewing the existing one. You can see this from the fact that there is a -0002 in the name of the folder…

/etc/letsencrypt/live/aabento.pt-0002/privkey.pem

https://community.letsencrypt.org/t/certbot-auto-why-generate-multiple-certificate-server-key-folder/82590/14

Maybe the initial certificate had names included that now do not exist anymore…?

Questions:
How do you issue your certificates? acme, certbot…? …and on what OS is it installed?

What can you do about it?

  • you can leave it that way and adjust the path in your web server config with the risk that this will happen again the next time you renew the certificates
  • You can delete all existing certificates and reissue them. That’s what I would do.

[quote]
You can delete all existing certificates and reissue them. That's what I would do.
[/quote]

How can I do this?


My System.
System Info
NextCloudPi version v1.35.0
NextCloudPi image NextCloudPi_03-28-20
distribution Raspbian GNU/Linux 10
automount yes
USB devices sda
datadir /media/myCloudDrive/ncdata
data in SD no
data filesystem btrfs
data disk usage 29G/932G
rootfs usage 4.1G/29G
swapfile /var/swap
dbdir /media/USBdrive/ncdatabase
Nextcloud check ok
Nextcloud version 20.0.8.1
HTTPD service up
PHP service up
MariaDB service up
Redis service up
Postfix service up
internet check ok
port check 80 open
port check 443 open
IP 192.168.1.68
gateway 192.168.1.1
interface eth0
certificates aabento.pt
NAT loopback yes
uptime 1day

I can't provide you with an exact step by step guide for your system, because I don't really know enough details about NextcloudPi. I had a similar issue once on my manual installation and I did the following steps:

  • deleted all certificate folders with …

sudo rm -rf /etc/letsencrypt/archive/yourdomain.com
sudo rm -rf /etc/letsencrypt/live/yourdomain.com
sudo rm -rf /etc/letsencrypt/renewal/yourdomain.com.conf

  • did the same for all the related -0001, -0002 etc. folders.

  • backed up the contents of the appropriate virtualhost-le-ssl.conf file in /etc/apache/sites-available, after that I disabled and deleted it.

  • reissued the certificate with certbot --apache, which gets a new certificate and also creates a new virtualhost-le-ssl.conf file and activates it.

  • Copied the content of the old virtualhost-le-ssl.conf back into the newly created file, except for the lines concerning the certificates.

Thank you for your support.

I still have another question:

  • When you said
    "Copied the content of the old virtualhost-le-ssl.conf back into the newly created file, except for the lines concerning the certificates."

you mean these two lines in my nextcloud.conf?
SSLCertificateFile /etc/letsencrypt/live/aabento.pt/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/aabento.pt/privkey.pem

Thank you.

[quote]
you mean these two lines in my nextcloud.conf?
[/quote]

Yes, exactly.

btw… In these two lines you can see what is causing your problem. The message you posted earlier says:

Your key file has been saved at:
/etc/letsencrypt/live/aabento.pt-0002/privkey.pem

But your config file says:

SSLCertificateFile /etc/letsencrypt/live/aabento.pt/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/aabento.pt/privkey.pem

You could also simply adjust the paths in the config file accordingly. Maybe in this case it is better to try that first, and only go further if the problem occurs again in the future. I cannot guarantee that my method works exactly the same way on your system as it did on mine, because as I said, I don't know NextcloudPi that well. As far as I know they implemented the function to issue certificates also in the ncp-admin interface. If you decide to go further and delete the certs as I described, you should probably use the ncp-admin panel to get the new certificates, instead of using certbot directly like I did. And make sure you have backups of the contents of every config file you change or delete.

Good luck
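A check for the mismatch described above, as an added example that is not part of any post in this thread: it reads an Apache vhost, finds the two SSL directives, and reports any that still point at an older Let's Encrypt lineage than the newest numbered one under live/ (renewal only refreshes the lineage certbot is tracking, so the old files silently expire). The fixture is constructed: a temporary live/ tree with an aabento.pt and an aabento.pt-0002 directory, and a vhost snippet using the old path.

```python
import re
import tempfile
from pathlib import Path

CERT_DIRECTIVES = ("SSLCertificateFile", "SSLCertificateKeyFile")  # paths certbot renews

def lineage_key(name):
    """'aabento.pt' -> ('aabento.pt', 0); 'aabento.pt-0002' -> ('aabento.pt', 2)."""
    m = re.fullmatch(r"(.+?)(?:-(\d{4}))?", name)
    return m.group(1), int(m.group(2) or 0)

def newest_lineages(live_dir):
    """Map each base domain to its highest-numbered lineage directory under live/."""
    newest = {}
    for entry in Path(live_dir).iterdir():
        if not entry.is_dir():  # certbot also keeps a README file in live/
            continue
        base, n = lineage_key(entry.name)
        if base not in newest or n > lineage_key(newest[base])[1]:
            newest[base] = entry.name
    return newest

def check_vhost(conf_text, live_dir):
    """Return (directive, configured path, newest path) for each SSL directive
    still pointing at an older lineage than the one certbot last issued."""
    live_dir = Path(live_dir)
    newest = newest_lineages(live_dir)
    findings = []
    for line in conf_text.splitlines():
        parts = line.split()
        if len(parts) != 2 or parts[0] not in CERT_DIRECTIVES:
            continue
        path = Path(parts[1])
        if path.parent.parent != live_dir:  # not a Let's Encrypt live/ path
            continue
        base, _ = lineage_key(path.parent.name)
        want = newest.get(base)
        if want and want != path.parent.name:
            findings.append((parts[0], str(path), str(live_dir / want / path.name)))
    return findings

def demo():
    """Constructed fixture: vhost points at old 'aabento.pt' while certbot now uses 'aabento.pt-0002'."""
    live = Path(tempfile.mkdtemp()) / "live"
    for lineage in ("aabento.pt", "aabento.pt-0002"):
        (live / lineage).mkdir(parents=True)  # contents are irrelevant to the check
    conf = (f"SSLEngine on\nSSLCertificateFile {live}/aabento.pt/fullchain.pem\n"
            f"SSLCertificateKeyFile {live}/aabento.pt/privkey.pem\n")
    return check_vhost(conf, live)
```

On a real box, call check_vhost() with the text of nextcloud.conf and "/etc/letsencrypt/live"; an empty result means Apache serves the lineage certbot is actually renewing.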

To delete certificates you can run

sudo certbot delete

Certbot will present a numbered list of all system certificates and ask you which number you want to remove.

Hi bb77
The problem is solved.
I followed your recommendations

[quote=“bb77, post:8, topic:109398”]
You could also simply adjust the paths in the config file accordingly.
[/quote] and it solved the problem.

Thank you so much.

Thank you OliverV. I will keep it in mind for the next similar problem.

For now, I found the solution with help of bb77.
Have a nice day.